xref: /openssh-portable/audit-bsm.c (revision 57ed647e)
18fe07945SDarren Tucker /*
28fe07945SDarren Tucker  * TODO
38fe07945SDarren Tucker  *
48fe07945SDarren Tucker  * - deal with overlap between this and sys_auth_allowed_user
58fe07945SDarren Tucker  *   sys_auth_record_login and record_failed_login.
68fe07945SDarren Tucker  */
78fe07945SDarren Tucker 
88fe07945SDarren Tucker /*
98fe07945SDarren Tucker  * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
108fe07945SDarren Tucker  * Use is subject to license terms.
118fe07945SDarren Tucker  *
128fe07945SDarren Tucker  * Redistribution and use in source and binary forms, with or without
138fe07945SDarren Tucker  * modification, are permitted provided that the following conditions
148fe07945SDarren Tucker  * are met:
158fe07945SDarren Tucker  * 1. Redistributions of source code must retain the above copyright
168fe07945SDarren Tucker  *    notice, this list of conditions and the following disclaimer.
178fe07945SDarren Tucker  * 2. Redistributions in binary form must reproduce the above copyright
188fe07945SDarren Tucker  *    notice, this list of conditions and the following disclaimer in the
198fe07945SDarren Tucker  *    documentation and/or other materials provided with the distribution.
208fe07945SDarren Tucker  *
218fe07945SDarren Tucker  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
228fe07945SDarren Tucker  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
238fe07945SDarren Tucker  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
248fe07945SDarren Tucker  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
258fe07945SDarren Tucker  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
268fe07945SDarren Tucker  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
278fe07945SDarren Tucker  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
288fe07945SDarren Tucker  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
298fe07945SDarren Tucker  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
308fe07945SDarren Tucker  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
318fe07945SDarren Tucker  *
328fe07945SDarren Tucker  */
338fe07945SDarren Tucker /* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
348fe07945SDarren Tucker 
358fe07945SDarren Tucker #include "includes.h"
368fe07945SDarren Tucker #if defined(USE_BSM_AUDIT)
378fe07945SDarren Tucker 
3856799c3fSDamien Miller #include <sys/types.h>
3956799c3fSDamien Miller 
4047bda1ffSDarren Tucker #include <errno.h>
41acada07bSDarren Tucker #include <netdb.h>
42ded319ccSDamien Miller #include <stdarg.h>
43acada07bSDarren Tucker #include <string.h>
4456799c3fSDamien Miller #include <unistd.h>
4556799c3fSDamien Miller 
4693a2d415SDarren Tucker #ifdef BROKEN_BSM_API
4793a2d415SDarren Tucker #include <libscf.h>
4893a2d415SDarren Tucker #endif
4993a2d415SDarren Tucker 
508fe07945SDarren Tucker #include "ssh.h"
518fe07945SDarren Tucker #include "log.h"
523e714514SDarren Tucker #include "hostfile.h"
538fe07945SDarren Tucker #include "auth.h"
548fe07945SDarren Tucker #include "xmalloc.h"
558fe07945SDarren Tucker 
568fe07945SDarren Tucker #ifndef AUE_openssh
578fe07945SDarren Tucker # define AUE_openssh     32800
588fe07945SDarren Tucker #endif
598fe07945SDarren Tucker #include <bsm/audit.h>
608fe07945SDarren Tucker #include <bsm/libbsm.h>
618fe07945SDarren Tucker #include <bsm/audit_uevents.h>
628fe07945SDarren Tucker #include <bsm/audit_record.h>
638fe07945SDarren Tucker #include <locale.h>
648fe07945SDarren Tucker 
658fe07945SDarren Tucker #if defined(HAVE_GETAUDIT_ADDR)
668fe07945SDarren Tucker #define	AuditInfoStruct		auditinfo_addr
678fe07945SDarren Tucker #define AuditInfoTermID		au_tid_addr_t
688fe07945SDarren Tucker #define SetAuditFunc(a,b)	setaudit_addr((a),(b))
698fe07945SDarren Tucker #define SetAuditFuncText	"setaudit_addr"
708fe07945SDarren Tucker #define AUToSubjectFunc		au_to_subject_ex
718fe07945SDarren Tucker #define AUToReturnFunc(a,b)	au_to_return32((a), (int32_t)(b))
728fe07945SDarren Tucker #else
738fe07945SDarren Tucker #define	AuditInfoStruct		auditinfo
748fe07945SDarren Tucker #define AuditInfoTermID		au_tid_t
758fe07945SDarren Tucker #define SetAuditFunc(a,b)	setaudit(a)
768fe07945SDarren Tucker #define SetAuditFuncText	"setaudit"
778fe07945SDarren Tucker #define AUToSubjectFunc		au_to_subject
788fe07945SDarren Tucker #define AUToReturnFunc(a,b)	au_to_return((a), (u_int)(b))
798fe07945SDarren Tucker #endif
808fe07945SDarren Tucker 
81acada07bSDarren Tucker #ifndef cannot_audit
828fe07945SDarren Tucker extern int	cannot_audit(int);
83acada07bSDarren Tucker #endif
848fe07945SDarren Tucker extern void	aug_init(void);
858fe07945SDarren Tucker extern void	aug_save_auid(au_id_t);
868fe07945SDarren Tucker extern void	aug_save_uid(uid_t);
878fe07945SDarren Tucker extern void	aug_save_euid(uid_t);
888fe07945SDarren Tucker extern void	aug_save_gid(gid_t);
898fe07945SDarren Tucker extern void	aug_save_egid(gid_t);
908fe07945SDarren Tucker extern void	aug_save_pid(pid_t);
918fe07945SDarren Tucker extern void	aug_save_asid(au_asid_t);
928fe07945SDarren Tucker extern void	aug_save_tid(dev_t, unsigned int);
938fe07945SDarren Tucker extern void	aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
948fe07945SDarren Tucker extern int	aug_save_me(void);
958fe07945SDarren Tucker extern int	aug_save_namask(void);
968fe07945SDarren Tucker extern void	aug_save_event(au_event_t);
978fe07945SDarren Tucker extern void	aug_save_sorf(int);
988fe07945SDarren Tucker extern void	aug_save_text(char *);
998fe07945SDarren Tucker extern void	aug_save_text1(char *);
1008fe07945SDarren Tucker extern void	aug_save_text2(char *);
1018fe07945SDarren Tucker extern void	aug_save_na(int);
1028fe07945SDarren Tucker extern void	aug_save_user(char *);
1038fe07945SDarren Tucker extern void	aug_save_path(char *);
1048fe07945SDarren Tucker extern int	aug_save_policy(void);
1058fe07945SDarren Tucker extern void	aug_save_afunc(int (*)(int));
1068fe07945SDarren Tucker extern int	aug_audit(void);
1078fe07945SDarren Tucker extern int	aug_na_selected(void);
1088fe07945SDarren Tucker extern int	aug_selected(void);
1098fe07945SDarren Tucker extern int	aug_daemon_session(void);
1108fe07945SDarren Tucker 
1118fe07945SDarren Tucker #ifndef HAVE_GETTEXT
1128fe07945SDarren Tucker # define gettext(a)	(a)
1138fe07945SDarren Tucker #endif
1148fe07945SDarren Tucker 
1158fe07945SDarren Tucker extern Authctxt *the_authctxt;
1168fe07945SDarren Tucker static AuditInfoTermID ssh_bsm_tid;
1178fe07945SDarren Tucker 
11893a2d415SDarren Tucker #ifdef BROKEN_BSM_API
11993a2d415SDarren Tucker /* For some reason this constant is no longer defined
12093a2d415SDarren Tucker    in Solaris 11. */
12193a2d415SDarren Tucker #define BSM_TEXTBUFSZ 256
12293a2d415SDarren Tucker #endif
12393a2d415SDarren Tucker 
1248fe07945SDarren Tucker /* Below is the low-level BSM interface code */
1258fe07945SDarren Tucker 
1268fe07945SDarren Tucker /*
127acada07bSDarren Tucker  * aug_get_machine is only required on IPv6 capable machines, we use a
128acada07bSDarren Tucker  * different mechanism in audit_connection_from() for IPv4-only machines.
129acada07bSDarren Tucker  * getaudit_addr() is only present on IPv6 capable machines.
130acada07bSDarren Tucker  */
131acada07bSDarren Tucker #if defined(HAVE_AUG_GET_MACHINE) || !defined(HAVE_GETAUDIT_ADDR)
132acada07bSDarren Tucker extern int aug_get_machine(char *, u_int32_t *, u_int32_t *);
133acada07bSDarren Tucker #else
134acada07bSDarren Tucker static int
aug_get_machine(char * host,u_int32_t * addr,u_int32_t * type)135acada07bSDarren Tucker aug_get_machine(char *host, u_int32_t *addr, u_int32_t *type)
136acada07bSDarren Tucker {
137acada07bSDarren Tucker 	struct addrinfo *ai;
138acada07bSDarren Tucker 	struct sockaddr_in *in4;
139acada07bSDarren Tucker 	struct sockaddr_in6 *in6;
140acada07bSDarren Tucker 	int ret = 0, r;
141acada07bSDarren Tucker 
142acada07bSDarren Tucker 	if ((r = getaddrinfo(host, NULL, NULL, &ai)) != 0) {
143acada07bSDarren Tucker 		error("BSM audit: getaddrinfo failed for %.100s: %.100s", host,
144acada07bSDarren Tucker 		    r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
145acada07bSDarren Tucker 		return -1;
146acada07bSDarren Tucker 	}
147acada07bSDarren Tucker 
148acada07bSDarren Tucker 	switch (ai->ai_family) {
149acada07bSDarren Tucker 	case AF_INET:
150acada07bSDarren Tucker 		in4 = (struct sockaddr_in *)ai->ai_addr;
151acada07bSDarren Tucker 		*type = AU_IPv4;
152acada07bSDarren Tucker 		memcpy(addr, &in4->sin_addr, sizeof(struct in_addr));
153acada07bSDarren Tucker 		break;
154acada07bSDarren Tucker #ifdef AU_IPv6
155acada07bSDarren Tucker 	case AF_INET6:
156acada07bSDarren Tucker 		in6 = (struct sockaddr_in6 *)ai->ai_addr;
157acada07bSDarren Tucker 		*type = AU_IPv6;
158acada07bSDarren Tucker 		memcpy(addr, &in6->sin6_addr, sizeof(struct in6_addr));
159acada07bSDarren Tucker 		break;
160acada07bSDarren Tucker #endif
161acada07bSDarren Tucker 	default:
162acada07bSDarren Tucker 		error("BSM audit: unknown address family for %.100s: %d",
163acada07bSDarren Tucker 		    host, ai->ai_family);
164acada07bSDarren Tucker 		ret = -1;
165acada07bSDarren Tucker 	}
166acada07bSDarren Tucker 	freeaddrinfo(ai);
167acada07bSDarren Tucker 	return ret;
168acada07bSDarren Tucker }
169acada07bSDarren Tucker #endif
170acada07bSDarren Tucker 
17193a2d415SDarren Tucker #ifdef BROKEN_BSM_API
17293a2d415SDarren Tucker /*
17393a2d415SDarren Tucker   In Solaris 11 the audit daemon has been moved to SMF. In the process
17493a2d415SDarren Tucker   they simply dropped getacna() from the API, since it read from a now
17593a2d415SDarren Tucker   non-existent config file. This function re-implements getacna() to
17693a2d415SDarren Tucker   read from the SMF repository instead.
17793a2d415SDarren Tucker  */
17893a2d415SDarren Tucker int
getacna(char * auditstring,int len)17993a2d415SDarren Tucker getacna(char *auditstring, int len)
18093a2d415SDarren Tucker {
18193a2d415SDarren Tucker 	scf_handle_t *handle = NULL;
18293a2d415SDarren Tucker 	scf_property_t *property = NULL;
18393a2d415SDarren Tucker 	scf_value_t *value = NULL;
18493a2d415SDarren Tucker 	int ret = 0;
18593a2d415SDarren Tucker 
186*57ed647eSDamien Miller 	/*
187*57ed647eSDamien Miller 	 * The man page for getacna on Solaris 10 states we should return -2
188*57ed647eSDamien Miller 	 * in case of error and set errno to indicate the error. We don't
189*57ed647eSDamien Miller 	 * bother with errno here, though, since the only use of this function
190*57ed647eSDamien Miller 	 * below doesn't check for errors anyway.
191*57ed647eSDamien Miller 	*/
19293a2d415SDarren Tucker 	handle = scf_handle_create(SCF_VERSION);
19393a2d415SDarren Tucker 	if (handle == NULL)
194*57ed647eSDamien Miller 		return -2;
19593a2d415SDarren Tucker 
19693a2d415SDarren Tucker 	ret = scf_handle_bind(handle);
19793a2d415SDarren Tucker 	if (ret == -1)
19893a2d415SDarren Tucker 		return -2;
19993a2d415SDarren Tucker 
20093a2d415SDarren Tucker 	property = scf_property_create(handle);
20193a2d415SDarren Tucker 	if (property == NULL)
20293a2d415SDarren Tucker 		return -2;
20393a2d415SDarren Tucker 
20493a2d415SDarren Tucker 	ret = scf_handle_decode_fmri(handle,
20593a2d415SDarren Tucker 	    "svc:/system/auditd:default/:properties/preselection/naflags",
20693a2d415SDarren Tucker 	    NULL, NULL, NULL, NULL, property, 0);
20793a2d415SDarren Tucker 	if (ret == -1)
20893a2d415SDarren Tucker 		return -2;
20993a2d415SDarren Tucker 
21093a2d415SDarren Tucker 	value = scf_value_create(handle);
21193a2d415SDarren Tucker 	if (value == NULL)
21293a2d415SDarren Tucker 		return -2;
21393a2d415SDarren Tucker 
21493a2d415SDarren Tucker 	ret = scf_property_get_value(property, value);
21593a2d415SDarren Tucker 	if (ret == -1)
21693a2d415SDarren Tucker 		return -2;
21793a2d415SDarren Tucker 
21893a2d415SDarren Tucker 	ret = scf_value_get_astring(value, auditstring, len);
21993a2d415SDarren Tucker 	if (ret == -1)
22093a2d415SDarren Tucker 		return -2;
22193a2d415SDarren Tucker 
22293a2d415SDarren Tucker 	scf_value_destroy(value);
22393a2d415SDarren Tucker 	scf_property_destroy(property);
22493a2d415SDarren Tucker 	scf_handle_destroy(handle);
22593a2d415SDarren Tucker 
22693a2d415SDarren Tucker 	return 0;
22793a2d415SDarren Tucker }
22893a2d415SDarren Tucker #endif
22993a2d415SDarren Tucker 
230acada07bSDarren Tucker /*
2318fe07945SDarren Tucker  * Check if the specified event is selected (enabled) for auditing.
2328fe07945SDarren Tucker  * Returns 1 if the event is selected, 0 if not and -1 on failure.
2338fe07945SDarren Tucker  */
2348fe07945SDarren Tucker static int
selected(char * username,uid_t uid,au_event_t event,int sf)2358fe07945SDarren Tucker selected(char *username, uid_t uid, au_event_t event, int sf)
2368fe07945SDarren Tucker {
2378fe07945SDarren Tucker 	int rc, sorf;
2388fe07945SDarren Tucker 	char naflags[512];
2398fe07945SDarren Tucker 	struct au_mask mask;
2408fe07945SDarren Tucker 
2418fe07945SDarren Tucker 	mask.am_success = mask.am_failure = 0;
2428fe07945SDarren Tucker 	if (uid < 0) {
2438fe07945SDarren Tucker 		/* get flags for non-attributable (to a real user) events */
2448fe07945SDarren Tucker 		rc = getacna(naflags, sizeof(naflags));
2458fe07945SDarren Tucker 		if (rc == 0)
2468fe07945SDarren Tucker 			(void) getauditflagsbin(naflags, &mask);
2478fe07945SDarren Tucker 	} else
2488fe07945SDarren Tucker 		rc = au_user_mask(username, &mask);
2498fe07945SDarren Tucker 
2508fe07945SDarren Tucker 	sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
2518fe07945SDarren Tucker 	return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
2528fe07945SDarren Tucker }
2538fe07945SDarren Tucker 
2548fe07945SDarren Tucker static void
bsm_audit_record(int typ,char * string,au_event_t event_no)2558fe07945SDarren Tucker bsm_audit_record(int typ, char *string, au_event_t event_no)
2568fe07945SDarren Tucker {
2578fe07945SDarren Tucker 	int		ad, rc, sel;
2588fe07945SDarren Tucker 	uid_t		uid = -1;
2598fe07945SDarren Tucker 	gid_t		gid = -1;
2608fe07945SDarren Tucker 	pid_t		pid = getpid();
2618fe07945SDarren Tucker 	AuditInfoTermID	tid = ssh_bsm_tid;
2628fe07945SDarren Tucker 
2638fe07945SDarren Tucker 	if (the_authctxt != NULL && the_authctxt->valid) {
2648fe07945SDarren Tucker 		uid = the_authctxt->pw->pw_uid;
2658fe07945SDarren Tucker 		gid = the_authctxt->pw->pw_gid;
2668fe07945SDarren Tucker 	}
2678fe07945SDarren Tucker 
2688fe07945SDarren Tucker 	rc = (typ == 0) ? 0 : -1;
2698fe07945SDarren Tucker 	sel = selected(the_authctxt->user, uid, event_no, rc);
2708fe07945SDarren Tucker 	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
2718fe07945SDarren Tucker 	if (!sel)
2728fe07945SDarren Tucker 		return;	/* audit event does not match mask, do not write */
2738fe07945SDarren Tucker 
2748fe07945SDarren Tucker 	debug3("BSM audit: writing audit new record");
2758fe07945SDarren Tucker 	ad = au_open();
2768fe07945SDarren Tucker 
2778fe07945SDarren Tucker 	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
2788fe07945SDarren Tucker 	    pid, pid, &tid));
2798fe07945SDarren Tucker 	(void) au_write(ad, au_to_text(string));
2808fe07945SDarren Tucker 	(void) au_write(ad, AUToReturnFunc(typ, rc));
2818fe07945SDarren Tucker 
28293a2d415SDarren Tucker #ifdef BROKEN_BSM_API
283*57ed647eSDamien Miller 	/*
284*57ed647eSDamien Miller 	 * The last argument is the event modifier flags. For some seemingly
285*57ed647eSDamien Miller 	 * undocumented reason it was added in Solaris 11.
286*57ed647eSDamien Miller 	 */
28793a2d415SDarren Tucker 	rc = au_close(ad, AU_TO_WRITE, event_no, 0);
28893a2d415SDarren Tucker #else
2898fe07945SDarren Tucker 	rc = au_close(ad, AU_TO_WRITE, event_no);
29093a2d415SDarren Tucker #endif
29193a2d415SDarren Tucker 
2928fe07945SDarren Tucker 	if (rc < 0)
2938fe07945SDarren Tucker 		error("BSM audit: %s failed to write \"%s\" record: %s",
2948fe07945SDarren Tucker 		    __func__, string, strerror(errno));
2958fe07945SDarren Tucker }
2968fe07945SDarren Tucker 
2978fe07945SDarren Tucker static void
bsm_audit_session_setup(void)2988fe07945SDarren Tucker bsm_audit_session_setup(void)
2998fe07945SDarren Tucker {
3008fe07945SDarren Tucker 	int rc;
3018fe07945SDarren Tucker 	struct AuditInfoStruct info;
3028fe07945SDarren Tucker 	au_mask_t mask;
3038fe07945SDarren Tucker 
3048fe07945SDarren Tucker 	if (the_authctxt == NULL) {
3058fe07945SDarren Tucker 		error("BSM audit: session setup internal error (NULL ctxt)");
3068fe07945SDarren Tucker 		return;
3078fe07945SDarren Tucker 	}
3088fe07945SDarren Tucker 
3098fe07945SDarren Tucker 	if (the_authctxt->valid)
3108fe07945SDarren Tucker 		info.ai_auid = the_authctxt->pw->pw_uid;
3118fe07945SDarren Tucker 	else
3128fe07945SDarren Tucker 		info.ai_auid = -1;
3138fe07945SDarren Tucker 	info.ai_asid = getpid();
3148fe07945SDarren Tucker 	mask.am_success = 0;
3158fe07945SDarren Tucker 	mask.am_failure = 0;
3168fe07945SDarren Tucker 
3178fe07945SDarren Tucker 	(void) au_user_mask(the_authctxt->user, &mask);
3188fe07945SDarren Tucker 
3198fe07945SDarren Tucker 	info.ai_mask.am_success  = mask.am_success;
3208fe07945SDarren Tucker 	info.ai_mask.am_failure  = mask.am_failure;
3218fe07945SDarren Tucker 
3228fe07945SDarren Tucker 	info.ai_termid = ssh_bsm_tid;
3238fe07945SDarren Tucker 
3248fe07945SDarren Tucker 	rc = SetAuditFunc(&info, sizeof(info));
3258fe07945SDarren Tucker 	if (rc < 0)
3268fe07945SDarren Tucker 		error("BSM audit: %s: %s failed: %s", __func__,
3278fe07945SDarren Tucker 		    SetAuditFuncText, strerror(errno));
3288fe07945SDarren Tucker }
3298fe07945SDarren Tucker 
3308fe07945SDarren Tucker static void
bsm_audit_bad_login(const char * what)3318fe07945SDarren Tucker bsm_audit_bad_login(const char *what)
3328fe07945SDarren Tucker {
3338fe07945SDarren Tucker 	char textbuf[BSM_TEXTBUFSZ];
3348fe07945SDarren Tucker 
3358fe07945SDarren Tucker 	if (the_authctxt->valid) {
3368fe07945SDarren Tucker 		(void) snprintf(textbuf, sizeof (textbuf),
3378fe07945SDarren Tucker 			gettext("invalid %s for user %s"),
3388fe07945SDarren Tucker 			    what, the_authctxt->user);
3398fe07945SDarren Tucker 		bsm_audit_record(4, textbuf, AUE_openssh);
3408fe07945SDarren Tucker 	} else {
3418fe07945SDarren Tucker 		(void) snprintf(textbuf, sizeof (textbuf),
3428fe07945SDarren Tucker 			gettext("invalid user name \"%s\""),
3438fe07945SDarren Tucker 			    the_authctxt->user);
3448fe07945SDarren Tucker 		bsm_audit_record(3, textbuf, AUE_openssh);
3458fe07945SDarren Tucker 	}
3468fe07945SDarren Tucker }
3478fe07945SDarren Tucker 
3488fe07945SDarren Tucker /* Below is the sshd audit API code */
3498fe07945SDarren Tucker 
3508fe07945SDarren Tucker void
audit_connection_from(const char * host,int port)3518fe07945SDarren Tucker audit_connection_from(const char *host, int port)
3528fe07945SDarren Tucker {
3538fe07945SDarren Tucker 	AuditInfoTermID *tid = &ssh_bsm_tid;
3548fe07945SDarren Tucker 	char buf[1024];
3558fe07945SDarren Tucker 
3568fe07945SDarren Tucker 	if (cannot_audit(0))
3578fe07945SDarren Tucker 		return;
3588fe07945SDarren Tucker 	debug3("BSM audit: connection from %.100s port %d", host, port);
3598fe07945SDarren Tucker 
3608fe07945SDarren Tucker 	/* populate our terminal id structure */
3618fe07945SDarren Tucker #if defined(HAVE_GETAUDIT_ADDR)
3628fe07945SDarren Tucker 	tid->at_port = (dev_t)port;
3638fe07945SDarren Tucker 	aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type));
3648fe07945SDarren Tucker 	snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0],
3658fe07945SDarren Tucker 	    tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]);
3668fe07945SDarren Tucker 	debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf);
3678fe07945SDarren Tucker #else
3688fe07945SDarren Tucker 	/* this is used on IPv4-only machines */
3698fe07945SDarren Tucker 	tid->port = (dev_t)port;
3708fe07945SDarren Tucker 	tid->machine = inet_addr(host);
3718fe07945SDarren Tucker 	snprintf(buf, sizeof(buf), "%08x", tid->machine);
3728fe07945SDarren Tucker 	debug3("BSM audit: machine ID %s", buf);
3738fe07945SDarren Tucker #endif
3748fe07945SDarren Tucker }
3758fe07945SDarren Tucker 
3768fe07945SDarren Tucker void
audit_run_command(const char * command)3778fe07945SDarren Tucker audit_run_command(const char *command)
3788fe07945SDarren Tucker {
3798fe07945SDarren Tucker 	/* not implemented */
3808fe07945SDarren Tucker }
3818fe07945SDarren Tucker 
3828fe07945SDarren Tucker void
audit_session_open(struct logininfo * li)383ea52a829SDarren Tucker audit_session_open(struct logininfo *li)
3848fe07945SDarren Tucker {
3858fe07945SDarren Tucker 	/* not implemented */
3868fe07945SDarren Tucker }
3878fe07945SDarren Tucker 
3888fe07945SDarren Tucker void
audit_session_close(struct logininfo * li)389ea52a829SDarren Tucker audit_session_close(struct logininfo *li)
3908fe07945SDarren Tucker {
3918fe07945SDarren Tucker 	/* not implemented */
3928fe07945SDarren Tucker }
3938fe07945SDarren Tucker 
3948fe07945SDarren Tucker void
audit_event(struct ssh * ssh,ssh_audit_event_t event)3959b655dc9SDamien Miller audit_event(struct ssh *ssh, ssh_audit_event_t event)
3968fe07945SDarren Tucker {
3978fe07945SDarren Tucker 	char    textbuf[BSM_TEXTBUFSZ];
3988fe07945SDarren Tucker 	static int logged_in = 0;
3998fe07945SDarren Tucker 	const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
4008fe07945SDarren Tucker 
4018fe07945SDarren Tucker 	if (cannot_audit(0))
4028fe07945SDarren Tucker 		return;
4038fe07945SDarren Tucker 
4048fe07945SDarren Tucker 	switch(event) {
4058fe07945SDarren Tucker 	case SSH_AUTH_SUCCESS:
4068fe07945SDarren Tucker 		logged_in = 1;
4078fe07945SDarren Tucker 		bsm_audit_session_setup();
4088fe07945SDarren Tucker 		snprintf(textbuf, sizeof(textbuf),
4098fe07945SDarren Tucker 		    gettext("successful login %s"), user);
4108fe07945SDarren Tucker 		bsm_audit_record(0, textbuf, AUE_openssh);
4118fe07945SDarren Tucker 		break;
4128fe07945SDarren Tucker 
4138fe07945SDarren Tucker 	case SSH_CONNECTION_CLOSE:
4148fe07945SDarren Tucker 		/*
4158fe07945SDarren Tucker 		 * We can also get a close event if the user attempted auth
4168fe07945SDarren Tucker 		 * but never succeeded.
4178fe07945SDarren Tucker 		 */
4188fe07945SDarren Tucker 		if (logged_in) {
4198fe07945SDarren Tucker 			snprintf(textbuf, sizeof(textbuf),
4208fe07945SDarren Tucker 			    gettext("sshd logout %s"), the_authctxt->user);
4218fe07945SDarren Tucker 			bsm_audit_record(0, textbuf, AUE_logout);
4228fe07945SDarren Tucker 		} else {
4238fe07945SDarren Tucker 			debug("%s: connection closed without authentication",
4248fe07945SDarren Tucker 			    __func__);
4258fe07945SDarren Tucker 		}
4268fe07945SDarren Tucker 		break;
4278fe07945SDarren Tucker 
4288fe07945SDarren Tucker 	case SSH_NOLOGIN:
4298fe07945SDarren Tucker 		bsm_audit_record(1,
4308fe07945SDarren Tucker 		    gettext("logins disabled by /etc/nologin"), AUE_openssh);
4318fe07945SDarren Tucker 		break;
4328fe07945SDarren Tucker 
4338fe07945SDarren Tucker 	case SSH_LOGIN_EXCEED_MAXTRIES:
4348fe07945SDarren Tucker 		snprintf(textbuf, sizeof(textbuf),
4358fe07945SDarren Tucker 		    gettext("too many tries for user %s"), the_authctxt->user);
4368fe07945SDarren Tucker 		bsm_audit_record(1, textbuf, AUE_openssh);
4378fe07945SDarren Tucker 		break;
4388fe07945SDarren Tucker 
4398fe07945SDarren Tucker 	case SSH_LOGIN_ROOT_DENIED:
4408fe07945SDarren Tucker 		bsm_audit_record(2, gettext("not_console"), AUE_openssh);
4418fe07945SDarren Tucker 		break;
4428fe07945SDarren Tucker 
4438fe07945SDarren Tucker 	case SSH_AUTH_FAIL_PASSWD:
4448fe07945SDarren Tucker 		bsm_audit_bad_login("password");
4458fe07945SDarren Tucker 		break;
4468fe07945SDarren Tucker 
4478fe07945SDarren Tucker 	case SSH_AUTH_FAIL_KBDINT:
4488fe07945SDarren Tucker 		bsm_audit_bad_login("interactive password entry");
4498fe07945SDarren Tucker 		break;
4508fe07945SDarren Tucker 
4518fe07945SDarren Tucker 	default:
4528fe07945SDarren Tucker 		debug("%s: unhandled event %d", __func__, event);
4538fe07945SDarren Tucker 	}
4548fe07945SDarren Tucker }
4558fe07945SDarren Tucker #endif /* BSM */
456